In conventional physical or proximity transactions, there are many ways to verify that a user utilizing a portable device to make a transaction is indeed the user authorized to use that portable device. For example, a user may use a portable device that has been securely issued by their bank, such as a credit card with a mag stripe or a debit card with a contactless chip, to interact with an access device at a merchant to make a payment. The data from the mag stripe and a physical signature (for example) can be used to authenticate the user as the authorized user of the portable device. Or the contactless chip on the portable device can exchange data with the access device to provide further authentication and security. This data can additionally be sent to an authorization server such as at a payment processing network or issuer to compare it with stored data to authenticate the user or portable device.
Remote transactions are becoming more and more common place. There are a number of security and usability issues with remote transactions that do not exist in physical or proximity transactions. For example, a user may use his portable device, such a credit card with a mag stripe or a debit card with a contactless chip, to make a purchase at a merchant via the merchant's website. Instead of swiping the card at an access device so that the mag stripe or chip on the card can interact with the access device to exchange information, the user simply inputs his account number and expiration date (for example). Since there is no physical or proximity interaction with the portable device, traditional means of providing authentication and additional security are not effective.
There are some solutions that have emerged to address issues of authentication in remote transactions. One example is 3D Secure which allows entities such as Visa, MasterCard, and American Express to provide additional means to authenticate a portable device. For example, a password based method may be used which requires a user to register a password and then to input the password during each remote purchase transaction. This can be burdensome to the user whose payment experience may be interrupted to setup and register a password, and then to remember and enter the password for every remote transaction. Such a solution can also be expensive for a merchant or other entity to implement and maintain. Moreover, this solution can introduce other security issues. For example, password based solutions typically require a pop-up window to appear during the user's payment transaction. It may be difficult for the user to distinguish between a legitimate pop up window and a fraudulent phishing site. An inline frame may be used instead of a pop-up to reduce user confusion, but this may make it even harder for a user to verify that the inline frame is genuine. In addition, a user may not be allowed to proceed with a payment until they have registered a 3D Secure password. If a user does not want to risk providing the information during the purchase (or cannot remember the password), the user may have to cancel the transaction. Furthermore, many mobile browsers may not support inline frames or pop-ups and thus, the security feature may not work correctly on many mobile devices.
A more secure and effective way to authenticate users and portable devices is needed.